Some embodiments described herein relate generally to methods and apparatus for an authorization server to authenticate an application installed on a mobile communication device before issuing a token for the application. In particular, but not by way of limitation, some embodiments described herein relate to methods and apparatus of authenticating an application by using a randomly-generated verification identifier unique to the application before issuing a token for the application.
Open Authorization (OAuth) is an open standard protocol for authorization. It allows a user, such as an enterprise employee, to grant a third party application access to information associated with that user stored at a given location (e.g., on a given website) without sharing that user's account credentials (e.g., password) or the full extent of that user's data. Some known systems use OAuth tokens to authenticate applications for users of a variety of communication devices (e.g., a laptop computer, a personal digital assistant (PDA), a standard mobile telephone, a tablet personal computer (PC), etc.). If the OAuth Authorization Server is unable to authenticate an application before issuing a token, malicious software may be able to obtain the token issued for a valid application, use that token to make application programming interface (API) calls, and thereby impersonate the valid application.
Accordingly, a need exists for methods and apparatus for an OAuth Authorization Server to authenticate an application installed on a mobile communication device before issuing a token to that application.
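The following Python sketch illustrates the failure mode described above and one way an authorization server can close it: each registered application is given a randomly-generated verification identifier, and a token is issued only to a caller that presents the identifier matching the registration. This is an added illustration, not code from the patent application and not its claimed method; the registration API, the hashed storage of the identifier, and the application names are assumptions made here for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def _digest(value: str) -> bytes:
    """Hash the verification identifier so the server never stores it in clear."""
    return hashlib.sha256(value.encode("utf-8")).digest()


@dataclass
class AuthorizationServer:
    """Toy OAuth-style authorization server (constructed for this example only).

    Registrations and issued tokens are kept in memory; a real server would
    persist them and scope tokens to a user and a set of permissions.
    """
    # application name -> SHA-256 digest of its verification identifier
    registrations: Dict[str, bytes] = field(default_factory=dict)
    # issued token -> application name it was issued to
    issued_tokens: Dict[str, str] = field(default_factory=dict)

    def register_application(self, app_name: str) -> str:
        """Enrol an application and return its random verification identifier.

        The identifier is shown once at registration; the server keeps only its hash.
        """
        if app_name in self.registrations:
            raise ValueError(f"{app_name!r} is already registered")
        verification_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.registrations[app_name] = _digest(verification_id)
        return verification_id

    def issue_token(self, app_name: str, presented_id: str) -> Optional[str]:
        """Issue a token only if the caller proves it is the registered application."""
        expected = self.registrations.get(app_name)
        if expected is None:
            return None  # unknown application name: nothing to authenticate against
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(expected, _digest(presented_id)):
            return None
        token = secrets.token_urlsafe(32)
        self.issued_tokens[token] = app_name
        return token

    def application_for_token(self, token: str) -> Optional[str]:
        """Resolve a token back to the application it was issued to (as an API would)."""
        return self.issued_tokens.get(token)


def demo() -> Dict[str, bool]:
    """Run the legitimate and impostor flows and report the outcome of each."""
    server = AuthorizationServer()
    legit_id = server.register_application("expense-reporter")  # constructed app name
    legit_token = server.issue_token("expense-reporter", legit_id)
    # An impostor knows the application's name but not its verification identifier.
    impostor_token = server.issue_token("expense-reporter", "guessed-identifier")
    # A valid identifier presented under an unregistered name is also refused.
    unknown_app_token = server.issue_token("not-registered", legit_id)
    return {
        "legit_token_issued": legit_token is not None,
        "legit_token_resolves": legit_token is not None
        and server.application_for_token(legit_token) == "expense-reporter",
        "impostor_refused": impostor_token is None,
        "unknown_app_refused": unknown_app_token is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point the example makes is that the token is bound to evidence the server can check before issuance, so an application that merely knows another application's name is refused rather than handed a token it could replay against the API.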